Only particular failure - WAN issues
I have set up two nodes CARP. Works fine so far.
Going on "Status -> CARP (failover)" I can see the current state. Clicking (on the current master) "Enter persistent CARP maintenance mode" it fails over to the second node and there is only a minimal interruption in network connection.
BUT when I simulate the failure of a single NIC (i.e. by disabling the switch port) the secondary takes control of the failing interface and is now master for just this interface. Sounds good.
But unfortunately no Internet/WAN connection can be made at this stage. LAN can reach the virtual IP (now at the secondary pfSense) but it cannot go further in the direction of the WAN.
I assume this has something to do with my NAT configuration. I have created a CARP interface for WAN, too. Virtual IP there is .99. To which IP-address do I have to configure my NAT?
When configuring it for .99 (virtual) it is failsafe. But it does not cover the "single interface failure" I tested above (because it NATs to .99 on both active WAN interfaces).
When configuring it for the correct address (.201 for master, .202 for backup) connections will be lost during a failover, right?
So what might be the solution for this scenario?
Is the primary node actually seeing the interface go down? That is what is necessary to trigger a failover. It will fail over just fine with an actual interface failure. Even only one of many.
CARP does not protect against a failure at Layer 2. That is up to you to provide Layer 2 redundancy in addition to Layer 3.
It has zero to do with NAT.
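The reply above turns on one question: does the primary node itself see the interface go down? Below is an added diagnostic example (not code from any poster, nor from pfSense) that parses FreeBSD-style `ifconfig` output and flags any interface whose link is no longer active while this node still holds CARP MASTER for a vhid on it. The sample output, the interface names `em0`/`em1`, the addresses in the 192.0.2.0/24 and 10.0.0.0/24 ranges (reusing the thread's .201 and .99 host octets) and the exact line layout are all constructed assumptions; check them against a real `ifconfig` before relying on the parser.

```python
import re

# Constructed sample of FreeBSD-style `ifconfig` output on a pfSense node whose
# WAN switch port has been disabled (assumption: this mirrors the real layout;
# it is not captured from the forum poster's system).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.0.2.201 netmask 0xffffff00 broadcast 192.0.2.255
\tinet 192.0.2.99 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
\tcarp: MASTER vhid 1 advbase 1 advskew 0
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: no carrier
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 10.0.0.201 netmask 0xffffff00 broadcast 10.0.0.255
\tinet 10.0.0.99 netmask 0xffffff00 broadcast 10.0.0.255 vhid 2
\tcarp: MASTER vhid 2 advbase 1 advskew 0
\tmedia: Ethernet autoselect (1000baseT <full-duplex>)
\tstatus: active
"""


def parse_ifconfig(text):
    """Return {ifname: {"status": link status string, "carp": [(vhid, state), ...]}}.

    Only the `carp:` and `status:` lines are interpreted; everything else is
    skipped so unfamiliar option lines do not break the parser.
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            current = m.group(1)
            ifaces[current] = {"status": None, "carp": []}
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"carp: (\S+) vhid (\d+)", s)
        if m:
            ifaces[current]["carp"].append((int(m.group(2)), m.group(1)))
            continue
        m = re.match(r"status: (.+)$", s)
        if m:
            ifaces[current]["status"] = m.group(1)
    return ifaces


def stuck_masters(ifaces):
    """Interfaces whose link is not 'active' but that still hold MASTER on a vhid.

    An entry here means the failover the thread expects has not happened on this
    node, so the next thing to verify is whether the link-down event is even
    visible to it (a Layer 2 break elsewhere on the path would not be).
    """
    return [(name, vhid)
            for name, info in ifaces.items()
            for vhid, state in info["carp"]
            if info["status"] != "active" and state == "MASTER"]


if __name__ == "__main__":
    # On a live box you would feed in the output of `ifconfig` instead.
    for name, vhid in stuck_masters(parse_ifconfig(SAMPLE_IFCONFIG)):
        print(f"{name}: link not active but still MASTER for vhid {vhid}")
```

An empty result from `stuck_masters` on the primary while the secondary reports MASTER for the same vhid is the healthy failover case; a non-empty result means the node has not demoted itself, which is the "does it actually see the interface go down" question from the reply. Whether the NAT rule points at .99 or at a per-node address has no bearing on what this check reports.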